everything.exe

TODO: <产品名>  (literally "TODO: <product name>": the version-resource template placeholder was never filled in)

TODO: <公司名>  (literally "TODO: <company name>")

The executable everything.exe has been detected as malware by 8 of 68 anti-virus scanners. It runs as a Windows service named "SSFK" of type Win32OwnProcess, i.e. in a process of its own rather than inside a shared service host. While running, it connects over plain HTTP (TCP port 80) to a9.a2.a86c.ip4.static.sl-reverse.com (108.168.162.169) and to two further addresses listed in the network section below.
Publisher:
TODO: <公司名>  (literally "TODO: <company name>": unfilled version-resource placeholder)

Product:
TODO: <产品名>  (literally "TODO: <product name>": unfilled version-resource placeholder)

Description:
TODO: <文件说明>  (literally "TODO: <file description>": unfilled version-resource placeholder)

Version:
2.0.6.38

MD5:
1cf0d5ae5bf0b7cf4a6c8d40d4a8da5d

SHA-1:
b48b41f852f9baf076bc5a13ea8fabe88e932d46

SHA-256:
acadf1f845235e178a1d04cafd542fd5bf5879b3ae5e5a927333a2ed5b37abbb

Scanner detections:
8 / 68

Status:
Malware

Analysis date:
4/26/2024 1:20:22 AM UTC
(The engine versions in the table below, e.g. F-Secure 11.2015-09-10_6, show that the detections themselves were recorded in late 2015, shortly after the file was compiled; this date reflects when the report page was produced, not when the scanners ran.)

Scan engine             Detection                      Engine version
Lavasoft Ad-Aware       Gen:Variant.Graftor.245760     484
Arcabit                 Trojan.Graftor.D3C000          1.0.0.582
Bitdefender             Gen:Variant.Graftor.245760     1.0.20.1410
Emsisoft Anti-Malware   Gen:Variant.Graftor.245760     8.15.10.09.11
F-Secure                Gen:Variant.Graftor.245760     11.2015-09-10_6
G Data                  Gen:Variant.Graftor.245760     15.10.25
Kaspersky               HEUR:Trojan.Win32.Generic      14.0.0.1303
MicroWorld eScan        Gen:Variant.Graftor.245760     16.0.0.846

Seven of the eight detections are the same Bitdefender signature reported by vendors that license the Bitdefender engine (Arcabit's Trojan.Graftor.D3C000 is the same family number, 0x3C000 = 245760, written in hex). The only independent verdict is Kaspersky's heuristic. Gen:Variant.Graftor is a machine-generated generic family name, so this result means "two engines consider it suspicious", not that the sample's behaviour has been classified.

File size:
159 KB (162,816 bytes)

Product version:
2.0.6.38

Copyright:
Copyright (C) 2015

Original file name:
SSFK.exe

File type:
Executable application (Win32 EXE)

Language:
Chinese (Simplified, China)

Common path:
C:\users\{user}\appdata\local\temp\{random}.tmp\everything.exe
(A per-run temporary directory under the user's %TEMP%; this is where installers extract and launch embedded executables, which is consistent with the file being dropped by a setup package rather than copied by the user.)

File PE Metadata
Compilation timestamp:
10/9/2015 12:54:22 AM

OS version:
5.1  (minimum required OS: Windows XP / Server 2003)

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0  (Visual Studio 2012 toolchain)

CTPH (ssdeep):
3072:JVhu1+UznzLUDVkJmLLokgmZJ+oBUcxvxrU:JVwwUzn0DKJY/XZJ9X

Entry address:
0x10260  (an RVA; the startup stub below checks the DOS header at absolute address 0x400000, so the linked image base is 0x400000)

Entry point:
E8, F9, 69, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B0, 4A, 42, 00, E8, 1A, 15, 00, 00, E8, C6, 6B, 00, 00, 0F, B7, F0, 6A, 02, E8, 8C, 69, 00, 00, 59, B8, 4D, 5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00, 81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18, 00, 40, 00, 75, DD, 33, DB, 83, B8, 74, 00, 40, 00, 0E, 76, 09, 39, 98, E8, 00, 40, 00, 0F, 95, C3, 89, 5D, E4, E8, 1B, 66, 00, 00, 85, C0, 75, 08, 6A, 1C, E8, DC, 00, 00, 00, 59, E8...

The first two instructions are a call rel32 followed by a jmp rel32 with displacement 0, the standard Visual C++ CRT entry stub (call __security_init_cookie; jmp __tmainCRTStartup). What follows is that startup routine's self-check of the image's own headers: cmp word [0x400000], 'MZ'; cmp dword [e_lfanew + 0x400000], 'PE\0\0'; cmp OptionalHeader.Magic, 0x10B (PE32). Together with the moderate entropy this indicates an ordinary compiler-emitted executable with no packer in front of the original entry point.

Entropy:
6.1430  (typical of unpacked native code; packed or encrypted payloads usually score above 7)

Code size:
114 KB (116,736 bytes)
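The following is an added example, not part of the original report: it parses the "Entry point" byte dump shown above (transcribed from the page, first 87 bytes), resolves the two leading rel32 branches against the listed entry address, and pulls the linked image base out of the startup stub's own "MZ" check. It assumes 32-bit x86 code (the file type is Win32 EXE) and that the entry address is an RVA, which is how the field is conventionally reported; the target RVAs it prints are computed, not taken from the page.

```python
import re
import struct

ENTRY_RVA = 0x10260  # "Entry address" from the listing above (taken to be an RVA)

# Transcribed from the "Entry point" field of the listing (first 87 bytes).
ENTRY_DUMP = """E8, F9, 69, 00, 00, E9, 00, 00, 00, 00, 6A, 14, 68, B0, 4A, 42, 00, E8, 1A,
15, 00, 00, E8, C6, 6B, 00, 00, 0F, B7, F0, 6A, 02, E8, 8C, 69, 00, 00, 59, B8, 4D,
5A, 00, 00, 66, 39, 05, 00, 00, 40, 00, 74, 04, 33, DB, EB, 33, A1, 3C, 00, 40, 00,
81, B8, 00, 00, 40, 00, 50, 45, 00, 00, 75, EB, B9, 0B, 01, 00, 00, 66, 39, 88, 18,
00, 40, 00, 75, DD"""


def parse_dump(dump: str) -> bytes:
    """Turn the page's 'E8, F9, 69, ...' rendering into raw bytes."""
    return bytes(int(tok, 16) for tok in re.findall(r"[0-9A-Fa-f]{2}", dump))


def rel32_target(code: bytes, offset: int, rva: int) -> int:
    """Resolve a 5-byte E8 (call) or E9 (jmp) at `offset` to its target RVA.
    x86 rel32 is relative to the address of the *next* instruction."""
    opcode = code[offset]
    if opcode not in (0xE8, 0xE9):
        raise ValueError(f"no call/jmp rel32 at offset {offset:#x}: {opcode:#x}")
    rel = struct.unpack_from("<i", code, offset + 1)[0]
    return rva + offset + 5 + rel


def crt_startup_targets(code: bytes, entry_rva: int):
    """MSVC's CRT entry begins with `call __security_init_cookie` followed by
    `jmp __tmainCRTStartup`; return (call_target_rva, jmp_target_rva)."""
    return rel32_target(code, 0, entry_rva), rel32_target(code, 5, entry_rva)


def image_base_from_mz_check(code: bytes):
    """__tmainCRTStartup checks that the image's own DOS header starts with 'MZ':
         mov eax, 5A4Dh ; cmp [imagebase], ax
    The absolute address embedded in that cmp is the linked image base."""
    m = re.search(rb"\xB8\x4D\x5A\x00\x00\x66\x39\x05(....)", code, re.S)
    return struct.unpack("<I", m.group(1))[0] if m else None


def has_pe32_magic_check(code: bytes) -> bool:
    """The same stub compares OptionalHeader.Magic with 0x10B (PE32):
         mov ecx, 10Bh ; cmp [eax+imagebase+18h], cx"""
    return b"\xB9\x0B\x01\x00\x00\x66\x39\x88" in code


if __name__ == "__main__":
    code = parse_dump(ENTRY_DUMP)
    call_t, jmp_t = crt_startup_targets(code, ENTRY_RVA)
    print(f"call __security_init_cookie -> RVA {call_t:#x}")
    print(f"jmp  __tmainCRTStartup     -> RVA {jmp_t:#x}")
    print(f"linked image base           = {image_base_from_mz_check(code):#x}")
    print(f"PE32 magic self-check       = {has_pe32_magic_check(code)}")
```

A jmp whose displacement is zero simply falls through, which is exactly how the compiler lays out this stub: __tmainCRTStartup starts right after it. If a sample's entry bytes do not show this shape on an MSVC-linked file, the original entry point has been replaced, which is the first hint of a packer or an infector.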

Service
Display name:
SSFK

Description:
System Agent Service

Type:
Win32OwnProcess


This file has been observed making the following network connections in live environments. All three destination hostnames are generic reverse-DNS names of the form <hex octets, reversed>.ip4.static.sl-reverse.com that SoftLayer assigns to its address space by default; they were not registered by the operator and should not be used as indicators on their own. The IP addresses are the indicators, and because SoftLayer hosts many unrelated customers, a hit on one of them warrants confirmation against the file hashes above rather than an automatic verdict.

TCP (HTTP):
Connects to a9.a2.a86c.ip4.static.sl-reverse.com  (108.168.162.169:80)

TCP (HTTP):
Connects to c1.2f.6132.ip4.static.sl-reverse.com  (50.97.47.193:80)

TCP (HTTP):
Connects to 7d.a0.a86c.ip4.static.sl-reverse.com  (108.168.160.125:80)
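An added example, not part of the original report: it decodes the sl-reverse.com names above into the IPv4 addresses the page pairs with them (the hex labels are the address octets in reverse order) and then runs the resulting address set over a few proxy-log lines. The log format and the log lines are constructed for the example; the IP addresses and hostnames are the ones listed on this page.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hostnames exactly as listed on the page, with the IPs the page pairs them with.
PAGE_CONTACTS = {
    "a9.a2.a86c.ip4.static.sl-reverse.com": "108.168.162.169",
    "c1.2f.6132.ip4.static.sl-reverse.com": "50.97.47.193",
    "7d.a0.a86c.ip4.static.sl-reverse.com": "108.168.160.125",
}

SL_REVERSE = re.compile(
    r"^([0-9a-f]{2})\.([0-9a-f]{2})\.([0-9a-f]{4})\.ip4\.static\.sl-reverse\.com$"
)


def decode_sl_reverse(hostname: str):
    """sl-reverse.com PTR names encode the address as hex octets in reverse
    order: 'a9.a2.a86c' -> a9 a2 a8 6c -> 169.162.168.108 -> 108.168.162.169.
    Returns the dotted-quad string, or None if the name is not of that form."""
    m = SL_REVERSE.match(hostname.lower())
    if not m:
        return None
    hexocts = m.group(1) + m.group(2) + m.group(3)  # 8 hex chars, reversed octets
    octets = [int(hexocts[i:i + 2], 16) for i in range(0, 8, 2)]
    return str(ipaddress.IPv4Address(".".join(str(o) for o in reversed(octets))))


# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status> <bytes>".
# Line 4 is a deliberate near-miss (neighbouring address, not on the page).
SAMPLE_PROXY_LOG = """\
2015-10-27T03:14:07Z 10.0.8.21 GET http://108.168.162.169/ 200 512
2015-10-27T03:14:09Z 10.0.8.21 GET http://www.example.com/index.html 200 4096
2015-10-27T03:15:40Z 10.0.8.33 POST http://7d.a0.a86c.ip4.static.sl-reverse.com/report 200 128
2015-10-27T03:16:02Z 10.0.8.33 GET http://50.97.47.194/ 404 0
"""


def find_c2_contacts(log_text: str, iocs=frozenset(PAGE_CONTACTS.values())):
    """Return (timestamp, client, ip) for each request whose destination is one
    of the listed addresses. Destinations logged as sl-reverse PTR names are
    decoded first so the match works whether the proxy recorded the name or
    the address; other hostnames are skipped (no DNS is done offline)."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ts, client, _method, url = fields[:4]
        host = urlsplit(url).hostname or ""
        ip = decode_sl_reverse(host)
        if ip is None:
            try:
                ip = str(ipaddress.IPv4Address(host))
            except ValueError:
                continue  # a name we cannot map without DNS
        if ip in iocs:
            hits.append((ts, client, ip))
    return hits


if __name__ == "__main__":
    for host, ip in PAGE_CONTACTS.items():
        print(f"{host} -> {decode_sl_reverse(host)} (page says {ip})")
    for ts, client, ip in find_c2_contacts(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} contacted {ip}")
```

Keying the rule on the decoded address rather than the PTR name means a proxy that logs only the hostname and one that logs only the address produce the same alert, and a near-miss in the same /24 does not fire; since these are shared hosting ranges, confirm a hit by checking the SHA-256 above on the client before treating it as an infection.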

Remove everything.exe - Powered by Reason Core Security